iOS Supervised Mode

What is Supervision?

Supervision is a procedure designed for institutionally-owned iOS devices. Supervising an Apple device gives you more control over it: you can set additional restrictions, automate actions and more.

By default, iOS devices are not supervised. A device can be set up as supervised only prior to activation, that is, before the Setup Assistant first appears on the device: either a brand-new device or a fully erased one.

Why do you need to Supervise your iOS devices?

Supervision unlocks the extra features intended for corporate-owned devices. If you want the apps you provision for the devices to install silently, you need to supervise the device.

If you want to blacklist applications, set a global proxy, lock the device in single-app mode, force web content filtering or set wallpapers, you need supervision.

Ok, so, how do you supervise a device?

iOS devices can be supervised by using either of the following:

  • Apple Configurator
  • Device Enrollment Program (DEP)

Supervision using Apple Configurator involves hooking up the devices to a Mac, whereas supervision via DEP is entirely over-the-air. Apple Configurator is quite handy, whereas the DEP registration and approval may take around 5-10 business days.

Supervising using Apple Configurator 2

Download and install the app Apple Configurator 2 from the Mac App Store. You will require a Mac with OS X 10.6.6 or later. The iOS device should have OS version 6 or above to supervise using Apple Configurator 2. Once these pre-requisites are met, follow the steps to supervise your device.

Step 1: Create a Wi-Fi profile

  1. Open Apple Configurator 2.
  2. Click on File > New Profile.
  3. Give a name to the profile. All other fields are optional.
  4. Select the Security type as With Authorization and provide a password. Set Automatically Remove Profile as Never.
  5. Select Wi-Fi from the left menu and click Configure.
  6. Give the name of the Wi-Fi network at Service Set Identifier (SSID).
  7. Select Auto join.
  8. Configure the Proxy Setup and select the Security Type.
  9. Provide the Wi-Fi password.
  10. Select Network Type as Standard.
  11. Click on File and Save the profile.
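
The profile saved in Step 1 is a property list, and when it is saved unsigned the Wi-Fi password and the removal password sit in it as readable strings. The check below is an added example, not part of the original guide or of Hexnode's tooling: it reads such a file and lists the settings worth reviewing before the profile is shared. The payload keys are Apple's configuration profile keys; the function name, the sample values and the treatment of a missing EncryptionType as "Any" are assumptions.

```python
import plistlib

WIFI, REMOVAL = "com.apple.wifi.managed", "com.apple.profileRemovalPassword"
WEAK_ENCRYPTION = {"None", "WEP", "Any"}  # "Any" still lets the device accept WEP

def _payload(ptype, n, **keys):
    # Minimal payload skeleton; identifiers and UUIDs are constructed placeholders.
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.demo.{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}", **keys}

# Constructed sample: an unsigned profile shaped like the one saved in Step 1.
SAMPLE = plistlib.dumps(_payload(
    "Configuration", 0, PayloadDisplayName="Office Wi-Fi", HasRemovalPasscode=True,
    PayloadContent=[
        _payload(REMOVAL, 1, RemovalPassword="constructed-removal-pw"),
        _payload(WIFI, 2, SSID_STR="ExampleCorp", AutoJoin=True,
                 EncryptionType="WEP", Password="constructed-psk", ProxyType="None"),
    ]))

def audit_wifi_profile(data: bytes) -> list:
    """List settings to review in an unsigned .mobileconfig given as raw bytes."""
    try:
        profile = plistlib.loads(data)
    except plistlib.InvalidFileException:
        # Signed or encrypted profiles are CMS-wrapped and must be unwrapped first.
        return ["not a plain plist: unwrap the signed/encrypted profile first"]
    findings = []
    if not (profile.get("HasRemovalPasscode") or profile.get("PayloadRemovalDisallowed")):
        findings.append("profile: removable without a passcode")
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == REMOVAL and p.get("RemovalPassword"):
            findings.append("profile: removal password readable in the saved file")
        if p.get("PayloadType") != WIFI:
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        if p.get("Password"):
            findings.append(f"{ssid}: Wi-Fi password readable in the saved file")
        enc = p.get("EncryptionType", "Any")  # assumption: absent means "Any"
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: EncryptionType {enc} permits weak or no encryption")
    return findings

if __name__ == "__main__":
    for line in audit_wifi_profile(SAMPLE):
        print(line)
```

Treat the saved .mobileconfig as a secret: store it with restricted file permissions and delete stray copies once the Blueprint has been applied.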

Step 2: Create Blueprint and add Wi-Fi profile

  1. On the Apple Configurator window, click on File > New Blueprint.
  2. Name the Blueprint.
  3. Select the created Blueprint, click on Add > Profiles and select the Wi-Fi profile you created earlier and click Add.

Step 3: Prepare the device

  1. Select the Blueprint and click Prepare.
  2. Select the Configuration type as Manual and click Next.
  3. To enroll in Hexnode UEM from the Apple Configurator, select New server and click Next.
  4. Enter the server name and server URL.
  5. Server URL can be obtained from Enroll > Platform-Specific > iOS > Apple Configurator. Set a default user to activate the enrollment URL and copy it.
  6. Provide the URL and click Next.
  7. The required Anchor certificates will be automatically added. Click Next.
  8. Create an organization by providing your organizational details and click Next.
  9. Select Generate a new supervision identity and click Next.
  10. Select the iOS Setup Assistant steps that you want to show up in the device and click Prepare.

Note:

The Blueprint can also be prepared the same way, so that the devices need not be prepared individually. In this case all you need to do is connect the device and apply the Prepared Blueprint.

The next step is to connect your unsupervised iOS device to the Mac with a USB cable. After connecting, you can see your device in the Apple Configurator window.

Warning

Before connecting the device and proceeding with Supervision, make sure Find My iPhone/iPad is turned off on the iOS device. Otherwise, you’ll be locked out halfway.

Step 4: Apply Blueprint to iPad or iPhone

  1. Select the device from the Apple Configurator window.
  2. Right-click on the device, select Apply > choose the required Blueprint.
  3. Click Apply.

Note:

It’ll take a minute or two for the Blueprint to get applied to the device.

Note:

When you boot up the device, the MDM enrollment configuration, the Wi-Fi profile, the Supervision settings and everything else you had set up in the Blueprint will get automatically deployed to the device.

Supervising using Apple Device Enrollment Program (DEP)

The Device Enrollment Program (DEP) is one of Apple's deployment programs. DEP helps deploy devices in bulk by automatically applying settings and configurations upon the initial device start-up, making them ready to be used right out of the box. Over-the-air supervision of iOS devices is possible only if these devices are enrolled in DEP. DEP requires an MDM to supervise the devices remotely.

You will have to enroll your organization in DEP to access the program. Once your organization is enrolled and devices are added to ABM, perform the below steps to enroll and supervise your devices:

Step 1: Configuring DEP Configuration Profile

To configure DEP profile from the Hexnode console, follow the below steps:

  1. Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Configuration Profiles > Configure DEP Profile.
  2. Edit the Default DEP profile or create a new configuration profile by selecting Configure DEP profile.
  3. Here you can provide a Display name and select the option to Enable supervision to make the device supervised upon enrollment.
  4. Click Save.

Here is a list of additional configuration parameters for DEP profile that help customize the DEP-enrolled devices:

  • Department: Name of the department to which the devices are assigned.
  • Support Email Address: Users can write to this email address for support during setup.
  • Support phone number: Users can contact this number if they need help during setup.
  • Enroll Devices in MDM: If enabled, prevents users from bypassing the MDM Remote Management during the initial device setup.
  • Allow MDM Profile Removal: If enabled, the MDM profile can be removed after device enrollment.
  • Allow iTunes pairing: If enabled, users can sync their devices with iTunes. If disabled, every iTunes-related action will be prevented. To re-enable it, the device must be wiped and re-enrolled.
  • Allow Shared Devices: If enabled, multiple users can share Apple School Manager deployed devices.
  • Enable Hexnode UI for Authentication: If disabled, the device management must be set up from Apple’s default Remote Management setup wizard. If enabled, users will be redirected to Hexnode’s default enrollment window. Users can read and agree to the Hexnode EULA terms from here before proceeding with the enrollment. This feature is supported on iOS 13+ and macOS 10.15 or later devices.

    Note:

    The enrollment authentication settings (Authentication Modes) configured in the Enroll > Settings tab will take effect when this option is enabled, irrespective of the User Authentication configurations in the DEP Account and the Enrollment authentication settings in the DEP Configuration Profile.

  • Enrollment authentication settings: Select the mode of authentication for enrollment (Overrides the User authentication at Enroll > All Enrollments > No-Touch > Apple Business/School Manager.) Available options are:
    • No authentication – If enabled, the admin must choose the specific Domain and Default user.
    • Use Global Authentication Settings – If enabled, the authentication mode as selected on Enroll > Settings > Authentication Modes is considered.

    Note:

    If Enable Hexnode UI for Authentication is selected, this configuration will not take effect.

  • Configure user accounts: Enable this option to create an ‘Administrator’ user in Mac devices.
  • Don’t show the selected steps: To have a customized setup experience for your DEP devices upon activation, check the boxes corresponding to steps that you want to avoid during the setup of iOS devices.

All DEP Devices

| Set Up Assistant Options | Supported versions | Description |
|---|---|---|
| Apple ID | iOS 7.0+ | Skip Apple ID setup. |
| Biometric | iOS 8.1+ | Skip biometric setup. |
| True Tone Display | iOS 9.3.2+ | Skip True Tone Display pane. |
| Apple Pay | iOS 8.1+ | Skip Apple Pay setup. |
| Restore | iOS 7.0+ | Disable restoring from backup. |
| ScreenTime | iOS 12.0+ | Skip the Screen Time pane. |
| Appearance | iOS 13.0+ | Skip the Choose Your Look window. |
| Diagnostics | iOS 7.0+ | Skip sending diagnostic information to Apple. |
| Location Services | iOS 7.0+ | Skip setting up Location Services. |
| Privacy | iOS 11.3+ | Skips the privacy pane. |
| Siri | iOS 7.0+ | Disable users from configuring Siri. |
| Terms and Conditions | iOS 7.0+ | Hide terms and conditions from the user. |

iOS only

| Set Up Assistant Options | Supported versions | Description |
|---|---|---|
| Move from Android | iOS 9.0+ | Remove Move from Android option from the Restore pane. |
| Keyboard | iOS 11.0+ | Skip the Keyboard pane. |
| Watch Migration | iOS 11.0+ | Skip the screen for watch migration. |
| iMessage and FaceTime | iOS 12.0+ | Skip the iMessage and FaceTime screen. |
| Passcode | iOS 7.0+ | Hides and disables the passcode pane. |
| SIM Setup | iOS 12.0+ | Skip the add cellular plan pane. |
| Onboarding | iOS 11.0+ | Skip on-boarding informational screens. |
| Software Update | iOS 12.0+ | Skip the mandatory software update screen. |
| Home Button Sensitivity | iOS 10.0+ | Skip the Home Button screen. |
| Device to Device Migration | iOS 13.0+ | Skip Device to Device Migration pane. |
| Zoom | iOS 8.3+ | Skip the Zoom pane which shows larger text and controls. |
| Welcome/Get Started | iOS 13.0+ | Skip the Get Started pane. |
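
Several of the options above decide whether a user can avoid or undo management, so a DEP profile is worth reviewing before it is attached to an account. The check below is an added example, not Hexnode's code: it audits a profile expressed with the key names of Apple's DEP profile format and also flags skipped Setup Assistant panes that the oldest iOS version in the fleet does not support, using a subset of the versions from the tables. The mapping from the console options to these keys, the defaults used for absent keys, the function name and the sample profile are assumptions.

```python
import json

# Minimum iOS versions copied from the tables above (subset: iOS 11 and later).
SKIP_ITEM_MIN_IOS = {
    "Privacy": (11, 3), "Keyboard": (11, 0), "OnBoarding": (11, 0),
    "ScreenTime": (12, 0), "SIMSetup": (12, 0), "SoftwareUpdate": (12, 0),
    "Appearance": (13, 0), "DeviceToDeviceMigration": (13, 0), "Welcome": (13, 0),
}

# Constructed sample profile; the URL and names are placeholders.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Example DEP profile",
  "url": "https://mdm.example.com/enroll",
  "department": "IT",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true,
  "allow_pairing": true,
  "is_multi_user": false,
  "skip_setup_items": ["AppleID", "Passcode", "Appearance", "Siri"]
}
""")

def audit_dep_profile(profile, oldest_ios):
    """Return findings; oldest_ios is the fleet minimum as a tuple, e.g. (12, 4)."""
    findings = []
    # Defaults for absent keys are assumptions chosen to fail towards a finding.
    if not profile.get("is_supervised", False):
        findings.append("is_supervised: devices enroll unsupervised")
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory: user can skip enrollment in Setup Assistant")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable: user can remove the MDM profile")
    if profile.get("allow_pairing", True):
        findings.append("allow_pairing: device can pair with a host computer")
    skipped = profile.get("skip_setup_items", [])
    if "Passcode" in skipped:
        findings.append("skip_setup_items: Passcode pane hidden, enforce a passcode by policy")
    for item in skipped:
        need = SKIP_ITEM_MIN_IOS.get(item)
        if need and oldest_ios < need:
            findings.append(f"skip_setup_items: {item} needs iOS {need[0]}.{need[1]}+")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dep_profile(SAMPLE_PROFILE, (12, 4))))
```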

Step 2: Creating a DEP Account in Hexnode

To assign devices to the MDM server,

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager.
  3. Click on Add DEP Account.
  4. Provide an Account name and download the certificate file Hexnode_Apple_DEP_cert.pem.
  5. Now, log in to the Apple Business Manager account.
  6. Click on your name at the bottom left of the sidebar and go to Preferences > MDM server assignment. Here, click on Add MDM Server.
  7. Provide the MDM server name and upload the public key (the previously obtained DEP certificate) and click Save.
  8. Once saved, click on Download Token > Download Server Token.
  9. Now, go back to your Hexnode UEM console and upload the token in the Upload DEP server token file field.
  10. Optionally, you can check the box Add as Pre-approved device to pre-approve the DEP devices that you want to enroll using Hexnode.
  11. Select a Default Configuration Profile. You can either proceed with the Default DEP profile or attach a different configuration profile with the DEP Account, from the drop-down.
  12. Choose the mode of User authentication while enrolling devices.
    • Use global authentication settings: If this option is selected, the authentication mode as selected under Admin > Enrollment > Authentication Modes is considered.
    • No authentication: Device enrollment can be completed without any user authentication. Specify the user to which the device should be assigned.
      • Domain: Choose the domain (Hexnode’s local directory or any integrated directory domains) in which the user resides.
      • Default user: Select the user in the chosen domain to which all the DEP devices should be assigned.
  13. Click on Next to complete configuring DEP.

Step 3: Assign Devices to the MDM server

Once the DEP configuration is completed successfully, you can assign Apple devices to the device management server either individually or in bulk.

Note:

By designating a default MDM server, you can automatically assign new devices added to the ABM. To configure a default MDM server in the ABM portal, click on the name at the bottom sidebar and go to Preferences > MDM Server Assignment.

Individual Device Assignment

  1. Select the required device from the Devices page and click on Edit MDM server.
  2. Click on Assign to the following MDM and select the server from the drop-down. Tap Continue.
  3. On clicking Confirm, the device is assigned to the management server.

Bulk Device Assignment

  1. From the Devices page, you can either
    • Manually select the devices that you want to assign. On macOS devices, press the Command key and select the device names. On Windows, use the Ctrl key.
    • Or apply filters to the list of devices. Filters such as Device Management, Source, Order number, Device type and Storage size are available. To select a filter criterion, tap on Filter below the Search bar and check the required boxes corresponding to each filter option. Now, click on Search to sort out devices based on the specified criterion. From the filtered device list, you can either select All devices or click on specific device names.
  2. Tap on Edit corresponding to the Edit MDM server option.
  3. Select Assign to the following MDM and pick the server from the drop-down. Click on Continue.
  4. Finally, click on Confirm to assign the device to the management server.

The details of assigned devices, including the order number, the MDM server to which the device is assigned, the assignment date and the device type, are displayed in the device Assignment History.

Step 4: Sync Devices with Hexnode

Devices added to the Hexnode-specific MDM server in the Apple Business Manager portal must be synced with Hexnode. The information about the newly added devices will be imported into the integrated DEP Account through this synchronization. To sync devices with Hexnode,

  1. Navigate to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > DEP Accounts on your Hexnode UEM portal.
  2. Click on Sync all DEP accounts.

To view all the devices synchronised from the MDM server in the ABM portal, go to DEP Devices. To fetch a list of the devices linked to a specific DEP Account, switch the device filter from All Devices to that DEP Account.

Renew DEP Server Token

The DEP server token expires after one year. There is no need to upload a new public key to the Apple DEP website since Apple stores the public key permanently. You can create a new server token with the same public key by simply clicking on Generate new token.

Warning:

  • If the organization chooses to release a device from the ABM portal before enrollment, it cannot be enrolled via Apple DEP. Additionally, if the device is released from ABM after enrollment, it will be removed from the ABM portal as well as from the Hexnode UEM portal.
  • Devices released from ABM running iOS 11.0+ can be enrolled back in Hexnode via ‘DEP using Apple Configurator’. However, such devices will not behave as a normal DEP enrolled device during the initial 30 days of deployment. During the 30-day provisional period, the user can remove the MDM management either from the Settings app (General > Device Management > Remove Management) or by performing a device wipe. To remove MDM management on wiping, click on Leave Remote Management on the Remote Management setup wizard.

What happens at the device end?

Once you turn on a device that has not been activated yet and establish an internet connection, the Apple server will push the DEP profile previously associated with the device via Hexnode UEM. As a result, the device will be enrolled in the Hexnode UEM portal. However, already activated devices must be reset to their factory settings to get them enrolled in the MDM.

If enrollment authentication was enforced via the MDM, the device will get enrolled only after user authentication. However, if enrollment authentication is not turned on, the device will get directly enrolled in the MDM.

On opening the Settings app, the user will see a banner that shows your organization name along with a link that opens up a manual on Device Supervision.
